Welcome! Defining Digital Forensics and Introducing Myself

Welcome to my blog about Digital Forensics, e-Discovery and the Law. I tried to think of something clever to call it, but that didn’t happen. Should an epiphany occur, I’ll let you know.

My name is Monique Ferraro and I’m a digital forensics, information security and e-discovery consultant and practitioner who also has an active law practice in Waterbury, CT. I’ve been in the field of digital forensics now for fifteen or so years. I’ve been admitted to the practice of law about the same amount of time.

First, I’ll talk about digital forensics and what it is. The blog will talk a lot about digital forensics topics, recent decisions affecting the field, tools of the trade, information security and data breach and e-discovery. In this post I’m going to try to define digital forensics and then I’ll tell you more than you ever wanted to know about me.

There are two parts to digital forensics. First there’s the digital part. Then, there’s the forensics part. The digital part is easy. All things digital. The field used to be referred to as computer forensics, and many people still call it that. But it’s broader than just computers, because we’re looking at information on computing devices of all sorts, such as personal computers, mobile devices like cellphones and tablets, GPS devices, black boxes from motor vehicles, hard drives from gaming devices or copying machines—if it holds information in digital form, that’s what we’re talking about. The field also embraces the Internet and all the data stored on its servers and routers, emails, chat logs, social media, wherever it may reside.

The other part of the definition is forensics. The term, “forensics,” has suffered abuse. It is not necessarily what people think it is. The word, “forensic” means pertaining to the law or public discussion or debate. “Forensic science” refers to science as it pertains to the law.

In the beginning. . . when digital forensics started to be practiced among law enforcement, there was, and in many places there continues to be, considerable debate about whether or not digital “forensics” is a real science or if it is something that requires only a “fact” witness anyone can attest to.

Certainly, the field of digital forensics isn’t something that a computer science major learns in a computer science program. Nor will a management information systems student learn what it’s all about.

Likewise, digital forensics isn’t something that a police officer is qualified to perform by virtue of wearing a badge or attending a couple of classes. A computer science major without any law enforcement or legal training is just as unqualified to perform digital forensics as a police officer or lawyer without any computer science instruction or experience.

I will reveal my bias here, which I will do on the occasions I have a bias to reveal: whenever someone says that a device reveals the truth on its own, I call bs. It’s usually wishful thinking on the part of law enforcement officers who would like to shortcut the legal requirements necessary to properly authenticate and present the evidence. There absolutely is a digital forensic science and that science has a set of rules and requirements just the same as any other science. It is for the digital forensic scientist to learn, master and pass along to others.

People who argue that, “it is what it is,” meaning that what one finds on a digital device simply speaks for itself and no expertise or scientific analysis is required are ignorant of the entirety of forensic science and the law that was built before it and around it. What a computer screen displays no more demonstrates the “facts” than a radar gun captures the true speed that a car was traveling or a breathalyzer device captures the blood alcohol level of the person tested. The test results must be interpreted by someone qualified to do so and the tool used must be tested to ensure its accuracy. Furthermore, in order to ensure that the tool is properly tested, it must be tested by someone qualified to do so and such testing adequately documented.

What I’ve found in my many years of experience is that those who wish to shortcut the system often try to have their cake and eat it, too. They are the same people who argue that it’s good enough to estimate a person’s speed because they’ve been doing it a long time. Police officers make mistakes regarding the speed of vehicles and do so disproportionately according to the type of the vehicle. For example, people often believe motorcycles are traveling faster than their actual speed. That’s the purpose of requiring independent scientific evidence, such as a radar measurement. Police officers receive specialized training in how to conduct radar measurement. Sometimes, they do not properly operate the machinery. Sometimes, the machines aren’t properly calibrated. Sometimes, the machines are broken and obtain the wrong result.

When it comes to a case involving digital evidence, we can analogize to the speeding case. What’s your level of comfort? Is it with the police officer who eyeballs the motorcycle and says it was, “going about 70”? Most people who get a ticket don’t even ask how they were caught. They just pay the ticket. But, if the ticket is $1000.00, or if the ticket involves a long period of incarceration or losing one’s license, that’s a different story. You might consider taking a closer look at the evidence then. You might inquire as to whether your speed was calculated by eyeballing you or by radar. If your speed was calculated by radar, you might consider actually hiring a lawyer and having her find out if the person operating the gun did so correctly. You might want to find out if the radar gun was properly calibrated and if it was properly certified.

Of course, there are times when evidence is what it is and there’s no disputing the facts. However, that isn’t always the case, is it, and there’s an entire panoply of litigation issues in which digital evidence comes into play and needs to be preserved, documented, produced, analyzed, reported on and attested to.

I refer to that field pretty broadly as digital forensics, but it really incorporates e-discovery, which is the discipline of obtaining electronically stored information in anticipation of litigation, and information security, at least to some extent. This blog will address those issues. Now, I’ll tell you about me and why I got involved in all of this.

People ask me two questions—first, why Waterbury, CT? I always say, Why not? It was the closest city to where I was living when I decided to really give my practice a go of it and it’s centrally located in Connecticut.

The other question, which requires a little more explaining, is, “how did you get involved in digital forensics?” When I was in graduate school, back in 1986 at Northeastern in Boston, we were the first or second year of students who were required to use personal computers to write all of our papers. We were also required to use the mainframe computer there to conduct research and write computer programs. It was something I came to truly enjoy. Yet, it was also something that I came to appreciate as a burgeoning nemesis.

I’ll tell you why I say, “nemesis.”

One day, as I was exiting the library back in 1987, I clutched to my chest a 5 ¼” floppy disk containing a 30 page research paper and all of my research citations that I had spent the past three weeks of my life toiling away at. At the time, there were warnings posted at the library that said to place storage media on the table by the magnetic screening devices before passing through. The devices back then did the same thing they do now—they screened for theft. These devices used powerful magnets to do so. Unfortunately, the storage media at the time was very susceptible to being damaged by magnetic fields.

Anyone who knows me well knows that I can be forgetful. I forgot to place the floppy disk containing my masterpiece. . . my magnum opus. . . on the table next to the screening device. I was utterly horrified. I wondered what could have happened to it. Would it be irretrievably lost? Ummmmmm. . . . short answer? Yes. Gone forever. I’d like to say that the paper I wrote to replace it was just as good, but who will ever know? That, my friends, was the genesis of my curiosity and commitment to all things digital forensic, information security, litigation discovery of electronically stored information and the nexus that increasingly occurs among computing, the law and the justice system.

Purely by serendipity, I got a job with the Crimes Analysis Unit of the Connecticut Department of Public Safety. They ran out of milk and I offered to go get it. I got the job.

My assignment was to design the domestic violence arrest reporting program and then to compile the statistics and prepare the periodic reports. They got their first pc a couple of months after I started and wouldn’t let anybody touch it. Despite telling them I knew how to use it and promising that I wouldn’t break it, it took months before they’d let me use it. Once I was able to persuade them that I actually did know how to turn the thing on and did know how to operate it, the people in my unit started coming to me when they needed help. When you work for the government, it’s a lot easier to go to the informal expert than it is to wade through the bureaucracy to figure out who is really supposed to help you.

Nine times out of ten, at least back then, the person who was (at least theoretically) supposed to help you had no idea what to tell you. There were contracts with vendors from another state and the person at headquarters would call the person in Massachusetts and get back to you in a couple of days or a week or not get back to you at all. It was a lot more expedient to just walk a couple of steps to my office or pick up the phone and call me and I’d go help the person. I found this to be true especially with the women with whom I worked, who were very well educated and reticent to look incompetent. At least that’s one theory of mine.

In addition to developing pc skills, I gained a lot of experience designing programs. There were several other legislatively mandated statistical reporting programs that I worked on while I was at the Crimes Analysis Unit. The one that I found most interesting was the Sex Offender Unit, because it had been in existence for many years—since the 1970’s, I believe—and it contained a large amount of data. It was the first sex offender registry in the state. It became a model for a sex offender intelligence database that was discontinued when the conviction registry began.

My next assignment was with the Criminal Intelligence Unit within the Division of State Police. The State Police in Connecticut are under the Department of Public Safety. There, they had a grant to develop a statewide intelligence sharing system. We took the legacy data from a proprietary secure network and designed a legally compliant, secure, pc-based system.

There, I learned a lot about information security. I also learned about the importance of backing up data, redundancy and all manner of important aspects of data management for both professional and personal reasons. Either due to karma, biorhythms, fortuity, the Hand of God or some other force of the universe, I suffer from an abnormal number of hard drive failures and data losses—both in my personal life and at work. This has always been the case. Imagine a dual floppy system wherein you’ve spent two weeks entering data you have collected for a research project that truly is mind-numbing in its level of detail. You pull the floppy disk out without saving the data and lose all of it. All of it. Allow me to reiterate: All of it.

So, backups, redundancy and information security are important to me.

During the time that I worked in the Intelligence Unit, I went to law school. Also during that time, an old friend was arrested for possessing child pornography on his computer. I really had no idea how he perpetrated the offense, what it consisted of or what was involved in the investigation, but the FBI was involved and he was sentenced to a year in federal prison. My research interests from graduate school and law school all coalesced—family violence (sex abuse and incest), violence against women and children, and technology. I had always known that criminals, and in particular sex offenders, despite the unsavory topic, utilize the latest technology available to both perpetrate and obfuscate their criminal activity. As technology goes, there is no doubt criminals will be at the forefront and law enforcement and then lawyers and later the judicial system will be following.

So, I wrote a couple of papers on the subject and found it utterly fascinating. There are few areas of the law that bring together emerging technology issues as well as fundamental legal principles such as search and seizure, the First Amendment, the Commerce Clause, copyright and Full Faith and Credit, just to name a few. Back at work, there was talk of forming a computer crimes unit. And, there was also talk of applying for a grant to form an Internet Crimes Against Children Task Force (ICAC).

After having written many successful grant proposals and implementing them at public safety, I left in 2005 to raise my son and to teach full time. I’ve taught digital forensics at the undergraduate and graduate level, criminal justice, legal studies and women’s studies for more than ten years now both on ground and online.

In 2007, I started my digital forensics and consulting firm, Technology Forensics, LLC, and it has grown since. I always had a small legal practice, but opened an office in downtown Waterbury where I do personal injury, criminal and general practice work. I’ve found that juggling the three things—digital forensics, the law practice and teaching—can be a challenge. But, I always have my two kids to keep me balanced. . .

I have also written quite a bit—co-wrote a book, book chapters, too many articles to even try to count—about digital forensics and the law.

No introductory piece would be complete without mentioning my dog, Henry. Henry is my 5-pound Yorkie who comes to work with me every day. He has 5,000 friends on Facebook and at least 6-10 people come in to visit him every day. He’s been featured in the newspaper and on cable TV. No. I’m not joking. He’s definitely more popular than I am, and he’s definitely the reason why some of my clients have hired me. Takes the edge off of going into a lawyer’s office or a digital forensics expert’s office. Besides, he’s good company, he doesn’t eat much and he keeps secrets pretty well.

So, when I do stupid stuff like accidentally erase files or format the wrong drive, I now can save myself. The whole purpose of the past many years was to save myself even more time either rewriting a 30-page paper or reinventing something.